Portier – An email-based, passwordless authentication service

206 points by samps, over 8 years ago

15 comments

callahad, over 8 years ago
Hi! A few of us have been hacking on this scaled-down, spiritual successor to Persona.

The core idea is that you treat this (self-hostable!) microservice like a black box: email address goes in, validated proof of identity comes out. No passwords, and no secrets to store in your application’s database. The service itself is also effectively stateless: aside from caching, the longest lived key in Redis has a TTL of 15 minutes, and no other datastore is required. So it should scale pretty reasonably, and be easy enough to administer for hobbyists.

Behind the scenes, it works similarly to a password reset or passwordless login workflow, but with progressive enhancement so that, e.g., Gmail users go through Google Sign-In instead of having to check their email.
callahad, over 8 years ago
Postmark just dropped our outbound email for high bounce rates. Falling back to SendGrid :/ Try again in 5 minutes.

Edit: Ask HN: Any suggestions for solving this? Hitting the frontpage means people are spamming the login form with bogus addresses like a@a.com that bounce and cause trouble for us and the ESPs. Not ideal, but I'm not sure how to solve this for a small scale side-project. Discussion in https://github.com/portier/portier-broker/issues/96
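The bounce problem raised in the comment above can be contained before a message ever reaches the ESP. The following is an added example, not part of the thread and not Portier's code: a hypothetical `LoginMailGate` that throttles confirmation emails per client IP and per address and suppresses addresses that have already bounced. The class name, thresholds, window and sample addresses are all constructed for illustration.

```python
import time
from collections import defaultdict, deque


class LoginMailGate:
    """Hypothetical gate deciding whether a login email may be sent."""

    def __init__(self, per_ip=5, per_address=3, window=900, clock=time.monotonic):
        # Thresholds and the 900 s window are constructed values, not Portier's.
        self.per_ip, self.per_address, self.window = per_ip, per_address, window
        self.clock = clock
        self.sent = defaultdict(deque)  # key -> timestamps of recent sends
        self.bounced = set()            # addresses the ESP reported as bounced

    def _recent(self, key, now):
        """Drop timestamps older than the window; return how many remain."""
        q = self.sent[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def record_bounce(self, address):
        """Call from the ESP's bounce notification handler."""
        self.bounced.add(address.strip().lower())

    def check(self, client_ip, address):
        """Return (allowed, reason); the send is recorded only when allowed."""
        addr = address.strip().lower()
        local, sep, domain = addr.rpartition("@")
        if not sep or not local or "." not in domain:
            return False, "malformed"
        if addr in self.bounced:
            return False, "previously-bounced"
        now = self.clock()
        if self._recent(("ip", client_ip), now) >= self.per_ip:
            return False, "ip-rate-limited"
        if self._recent(("addr", addr), now) >= self.per_address:
            return False, "address-rate-limited"
        self.sent[("ip", client_ip)].append(now)
        self.sent[("addr", addr)].append(now)
        return True, "send"


if __name__ == "__main__":
    gate = LoginMailGate(per_ip=2)
    gate.record_bounce("a@a.com")  # constructed bounce report
    # Constructed requests from one documentation-range IP
    for addr in ["a@a.com", "x@example.org", "y@example.org", "z@example.org"]:
        print(addr, gate.check("203.0.113.7", addr))
```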
awinter-py, over 8 years ago
Real question here is 'why isn't auth built in to the browser'. Lack of browser support is the reason oauth is so complicated (it relies on HTTP redirect to pass information around).

Imagine a web experience sans cookies and sans JS. If you take into account the economics of content, it can only happen with browser-mediated login.
SimeVidas, over 8 years ago
Note that Mozilla Persona did not support passwordless authentication. Specifically, you would still need to create a Persona password if you didn’t use a Gmail/Yahoo email address.

I’ve tested this service with one of those 10-minute emails and it seems to work without any passwords, so true passwordless authentication.
woodcut, over 8 years ago
I tried purely email based authentication in the past; unfortunately our domain, for whatever reason, wasn't deemed beyond reproach by gmail et al. At first they blocked around 5% of emails; eventually this went up to nearly 9%. Aside from those that got blocked, some just disappeared into a void after being accepted by gmail and took upwards of 20 mins to a few hours to be delivered.
shazow, over 8 years ago
Is there a process for migrating to a different email address?

Let's say I used my work address to sign into a bunch of stuff, but then I leave my job and I lose access to my email address? Or say I'm migrating from using @gmail.com for everything to using my own domain?
andmarios, over 8 years ago
Cool! Caddy webserver supports something similar I think, minus the google sign-in: https://caddyserver.com/docs/multipass
fiatjaf, over 8 years ago
Is it possible to create an email-like service that doesn't actually handle email, but only serves as an identity endpoint to be used with Portier?

Like, say, I create an account that reads "me@fiatjaf.com" and implement something on my fiatjaf.com server so that I can use it to login using Portier?
drdaeman, over 8 years ago
Maybe I'm heavily misunderstanding how this whole thing works, but isn't it basically a django-allauth/passport.js/omniauth/... packed as a [micro]service, with a "click link in email" for the fallback algorithm, and a planned "self-hosted" option (not sure how it would be any conceptually different from classic OpenID)?

Calling this a spiritual successor to Persona looks like a big stretch to me... Maybe I got it all wrong, though.

(And still I don't like it anyway, because my pet peeve is not having identity *providers* at all - one's identity must be something they can actually *own*, not something they lease from a provider, be it an email service or domain registrar...)
fourbnine, over 8 years ago
I hope the needs of providers like Fastmail (who provide services at users' domains) are top of mind for the people behind this project, as it's difficult to see it getting traction if it can't be deployed en masse by hosting providers.
overcast, over 8 years ago
I dream of the day all logins are just simple tokens. Either sent through email, or SMS. So sick of passwords. I've used other Passwordless libraries on a few projects, and it's almost cathartic.
chaz6, over 8 years ago
This sounds an awful lot like OpenID (2). What makes it different? My OpenID login (aka XRI i-name) is "=chris.hills" and works on sites that support it.
qud, over 8 years ago
Emails are not unique, lots of companies assign employees emails that would later be used by another person.
hossbeast, over 8 years ago
How do you pronounce it?
fiatjaf, over 8 years ago
Are there any free public servers we can use for side-projects?